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Finance  and  Accounting  Service  Indianapolis  Center  (Report  No.  98-038) 


We  are  providing  this  audit  report  for  information  and  use.  This  audit  was 
performed  in  response  to  the  requirements  of  the  Chief  Financial  Officers  Act  of  1990, 
as  amended  by  the  Federal  Financial  Management  Act  of  1994.  We  considered 
management  conaments  on  a  draft  of  this  report  in  preparing  the  final  report. 

As  a  result  of  management  comments,  we  revised  the  report  to  state  that  the 
Deputy  Director  for  Information  Management,  Defense  Finance  and  Accounting 
Service,  is  responsible  for  issuing  policy  regarding  information  management  efforts.  In 
addition,  we  clarified  that  the  database  applications  referred  to  in  the  report  are 
personal  computer-based,  end-user  developed  automated  products. 

Comments  on  the  draft  of  this  report  conformed  to  the  requirements  of  DoD 
Directive  7650.3  and  left  no  unresolved  issues.  Therefore,  no  additional  comments  are 
required. 

We  appreciate  the  courtesies  extended  to  the  audit  staff.  Questions  on  the  audit 
should  be  directed  to  Mr.  Richard  B.  Bird,  Audit  Program  Director,  at  (703)  604-9175 
(DSN  664-9175;  e-mail:  rbird@dodig.osd.mil)  or  Mr.  John  J.  Vietor,  Audit  Project 
Manager,  at  (317)  542-3855  (DSN  699-3855;  e-mail:  jvietor@dodig.osd.mil).  See 
Appendix  C  for  the  report  distribution.  The  audit  team  members  are  listed  inside  the 
back  cover. 
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Executive  Summary 


Introduction.  The  Defense  Finance  and  Accounting  Service  Financial  Systems 
Organization,  under  the  control  of  the  Deputy  Director  for  Information  Management, 
Defense  Finance  and  Accounting  Service,  is  responsible  for  financial  management 
systems  operations  and  policy  at  the  Defense  Finance  and  Accounting  Service  centers. 
The  Defense  Finance  and  Accounting  Service  Indianapolis  Center  is  responsible  for 
compiling  the  Army  general  fund  financial  statements.  To  accomplish  ^s 
responsibility,  database  applications  are  used  for  processing  the  financial  data  received 
from  DoD  field  accounting  entities  and  for  compiling  the  financial  statements.  During 
FY  1996,  database  applications  processed  general  ledger  data  totaling  about 
$1.7  trillion  and  generated  Army  general  fond  financial  statements  with  assets  totaling 
about  $201  billion  and  expenses  totaling  about  $64.7  billion. 

Audit  Objective.  The  audit  objective  was  to  determine  whether  the  database 
applications  used  by  the  Defense  Finance  and  Accounting  Service  Indianapolis  Center 
to  compile  the  Army  general  fund  financial  statements  were  subject  to  adequate 
development  and  maintenance  management  control  procedures.  We  also  reviewed  the 
adequacy  of  the  overall  management  control  program  as  it  related  to  the  audit 
objective. 

Audit  Results.  The  Defense  Finance  and  Accounting  Service  did  not  establish  policy 
and  management  control  procedures  for  database  applications  used  for  compiling  the 
Army  general  fond  financial  statements.  As  a  result,  until  database  applications  are 
replaced  by  long-term  financial  reporting  solutions,  database  applications  are  subject  to 
inefficient  use  and  increase  the  risk  of  misstatements  being  introduced  into  the  financial 
statements.  Also,  adjustments  totaling  about  $2.1  billion  had  to  be  made  to  Army 
general  fund  financial  data.  Similar  database  problems  affect  the  compilation  of  other 
Defense  agency  financial  statements  by  the  Defense  Finance  and  Accounting  Service 
Indianapolis  Center.  See  Appendix  A  for  details  on  the  management  control  program. 

Summary  of  Recommendations.  We  recommend  that  the  Deputy  Director  for 
Information  Management,  Defense  Finance  and  Accounting  Service,  and  the  Director, 
Financial  Systems  Organization,  establish  policy  requiring  the  implementation  of 
management  control  procedures  for  the  development  and  maintenance  of  database 
applications  at  the  Defense  Finance  and  Accounting  Service  centers.  We  also 
recommend  that  the  Director,  Defense  Finance  and  Accounting  Service  Indianapolis 


Center,  implement  policy  requiring  management  control  procedures  for  database 
application  development  and  maintenance  at  the  Defense  Finance  and  Accounting 
Service  Indianapolis  Center.  Management  control  procedures  should  include: 

o  training  personnel  on  the  development  of  database  applications; 

o  testing  database  applications  prior  to  use; 

0  requiring  management  authorization  of  changes  to  database  applications 
before  changes  are  made;  and 

0  implementing  a  change  control  program  for  database  application 
maintenance. 

Management  Comments.  The  Acting  Director,  Defense  Finance  and  Accounting 
Service,  concurred  with  the  audit  recommendations.  He  agreed  that  policies  governing 
the  management  of  information  systems  should  be  strengthened  to  better  publicize  that 
the  existing  policies  also  cover  applications  used  on  a  personal  computer-based 
platform.  He  also  agreed  to  implement  policy  that  requires  management  control 
procedures  for  developing  and  maintaining  database  applications.  See  Part  I  for  a 
summary  of  management  comments  and  Part  III  for  the  complete  text  of  the 
management  comments. 

Audit  Response.  In  response  to  management  comments,  we  revised  the  report  to  state 
that  the  Deputy  Director  for  Information  Management,  Defense  Finance  and 
Accounting  Service,  was  responsible  for  issuing  information  system  policy,  not  the 
Defense  Finance  and  Accounting  Service  Financial  Systems  Organization.  We  also 
clarified  that  the  database  applications  referred  to  in  the  report  are  personal 
computer-based,  end-user  developed,  automated  products.  We  consider  the  comments 
and  proposed  corrective  actions  from  the  Acting  Director,  Defense  Finance  and 
Accounting  Service,  to  be  fully  responsive  to  the  audit  recommendations.  Therefore, 
no  additional  comments  are  required. 
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Audit  Background 


Chief  Financial  Officers  Act.  Public  Law  101-576,  the  Chief  Financial 
Officers  (CFO)  Act  of  1990,  as  amended  by  Public  Law  103-365,  the  Federal 
Financial  Management  Act  of  1994,  requires  the  annual  preparation  and  audit  of 
financial  statements  for  23  executive  departments  and  agencies,  as  well  as 
Government  corporations.  The  CFO  Act  requires  the  Inspectors  General,  or 
appointed  external  auditors,  to  audit  financial  statements  in  accordance  with 
generally  accepted  Government  auditing  standards  and  other  standards 
established  by  the  Office  of  Management  and  Budget  (0MB). 

Role  of  the  Defense  Finance  and  Accounting  Service  Indianapolis  Center. 
Under  the  direction  of  the  CFO  Act  and  the  Federal  Financial  Management  Act, 
the  Defense  Finance  and  Accounting  Service  (DFAS)  Indianapolis  Center 
compiles  the  financial  statements  for  the  Army  general  fund.  The  DFAS 
Indianapolis  Center  uses  financial  data  from  DoD  field  accounting  entities  and 
other  sources  to  accomplish  this  responsibility.  DFAS  Indianapolis  Center 
personnel  then  selectively  query  data  from  the  initial  financial  databases  used  for 
financial  statement  reporting.  Query  results  are  used  as  input  for  database 
applications. 

Database  Applications.  The  DFAS  Indianapolis  Center  uses  database 
applications  to  perform  its  financial  reporting  responsibilities.  The  development 
and  use  of  database  applications  by  the  DFAS  Indianapolis  Center  are  an  interim 
solution  to  facilitate  timely  CFO  reporting.  Ease  of  development,  fast 
turnaround  time,  the  ability  to  meet  specific  end-user  requirements,  and  ease  of 
use  make  the  applications  valuable  analytical  tools.  Database  applications  will 
continue  to  be  used  only  until  long-term  CFO  reporting  solutions  are 
implemented.  Database  applications,  as  used  by  the  DFAS  Indianapolis  Center, 
are  personal  computer-based,  end-user  developed  automated  products  created  by 
using  advanced  programming  capabilities  inherent  in  commercial  database 
software  programs,  through  processing  and  output  specifications  provided  by 
the  software. 

DFAS  Indianapolis  Center  personnel  applied  database  applications  to  selective 
queries  from  the  Federal  Financial  System  (FFS,  the  general  ledger)  and  the 
Headquarters  Accounting  and  Reporting  System  (HQARS).  Internal  query 
applications  performed  those  selective  queries.  DFAS  Indianapolis  Center 
personnel  used  database  application  ouq)ut  as  the  basis  for  adjustments  to  the 
Financial  Statement  Data  Base  (FSDB).  Database  applications  can  also  be 
applied  to  financial  data  submitted  by  other  Defense  agencies.  The  following 
figure  shows  where  the  DFAS  Indianapolis  Center  used  database  applications  in 
the  financial  reporting  process. 
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Flow  of  Information  Through  Database  Applications 


See  Appendix  B  for  a  more  detailed  discussion  of  database  applications  and  the 
financial  statement  reporting  process  at  the  DFAS  Indianapolis  Center. 


Audit  Objectives 


The  overall  audit  objective  was  to  determine  whether  the  database  applications 
the  DFAS  Indianapolis  Center  used  for  compiling  the  Army  financial  statements 
were  subject  to  adequate  development  and  maintenance  management  control 
procedures.  We  also  reviewed  the  adequacy  of  the  management  control 
program,  as  it  applied  to  the  overall  audit  objective.  See  Appendix  A  for  a 
discussion  of  the  audit  process. 
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Database  Application  Development  and 
Maintenance  Controls 

Policy  and  management  control  procedures  were  not  established  for 
database  applications  critical  to  compiling  the  Army  general  fund 
financial  statements  (the  Army  financial  statements)  at  the  DFAS 
Indianapolis  Center. 

0  The  DFAS  Financial  Systems  Organization  (FSO)  did  not 
establish  policies  on  the  development  and  maintenance  of  database 
applications  used  to  compile  the  Army  financial  statements  at  the  DFAS 
Indianapolis  Center. 

o  The  DFAS  Indianapolis  Center  did  not  implement  management 
control  procedures  for  the  development  and  maintenance  of  database 
applications  used  to  compile  the  Army  financial  statements. 

As  a  result,  at  least  16  database  applications  critical  to  compiling  the 
financial  statements  for  the  Army  general  fund  were  subject  to  inefficient 
use  or  failure,  thereby  increasing  Ae  risk  of  introducing  misstatements 
into  the  Army  financial  statements.  Also,  about  $2. 1  billion  in 
adjustments  to  the  FY  1996  accounts  payable  balance  were  needed. 
Similar  management  control  weaknesses  also  exist  for  the  compilation  of 
Defense  agency  financial  data  at  the  DFAS  Indianapolis  Center. 


Criteria  Requiring  Management  Controls 


OMB  Circular  No.  A-130,  "Management  of  Federal  Information  Resources," 
June  25,  1993,  requires  that  agencies  establish  management  control  procedures 
to  assure  that  appropriate  administrative,  physical,  and  technical  safeguards  are 
incoiporated  into  all  new  applications  and  into  significant  modifications  to 
existing  applications.  OMB  Circular  No.  A-127,  "Financial  Management 
Systems,”  July  23,  1993,  states  that  automated  processes  using  an  integrated 
data  base,  such  as  the  general  ledger-based  FSDB  used  by  database  applications, 
are  considered  part  of  a  financial  management  system,  which  in  turn  are 
covered  by  OMB  Circular  No.  A-130.  Circular  No.  A-127  also  requires  that 
financial  management  systems  comply  with  requirements  related  to  internal 
controls,  maintenance,  and  training  and  user  support.  The  link  to  a  financial 
management  system  subjects  database  applications  to  the  same  management 
controls  required  by  OMB  Circular  No.  A-127. 
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Database  Application  Development  and  Maintenance  Controls 


DFAS  Responsibilities 


DFAS  Office  Responsibilities.  The  DFAS-FSO,  under  the  control  of  the 
DFAS  Deputy  Director  for  Information  Management,  is  responsible  for 
financial  management  systems  operations  and  policy  and  for  the  development 
and  maintenance  of  financial  management  systems  at  the  DFAS  Centers.  The 
DFAS-FSO  is  also  responsible  for  standardizing  the  policies,  procedures,  and 
practices  used  by  application  developers  within  DFAS.  The  DFAS-FSO  also 
oversees  the  Financial  Systems  Activities  located  at  the  DFAS  Centers, 
including  the  DFAS  Indianapolis  Center. 

The  DFAS  Financial  Systems  Activities  do  not  have  policy-making 
responsibilities.  Instead,  they  are  responsible  for  implementing  the  policies  set 
forth  by  the  DFAS-FSO.  The  DFAS  Financial  Systems  Activity,  Indianapolis 
Center,  is  also  responsible  for  developing  applications  for  the  DFAS 
Indianapolis  Center. 

DFAS  Indianapolis  Center  Offices.  Three  DFAS  Indianapolis  Center  offices 
are  involved  with  the  implementation  of  database  applications  in  the  financial 
reporting  process,  the: 

o  Deputy  Director  for  Accounting  Operations; 

o  Directorate  for  Departmental  Accounting  (the  Directorate);  and 

0  Data  Control  and  Operational  Support  Team  (the  Support  Team). 

Deputy  Director  for  Accounting  Operations.  The  Deputy  Director  for 
Accounting  Operations  has  the  overall  responsibility  for  compiling  the  Army 
financial  statements  and  for  other  Defense  agencies’  financial  statements,  in 
accordance  with  the  CFO  Act. 

Directorate  for  Departmental  Accounting.  The  Directorate  is  under 
the  Deputy  Director  for  Accounting  Operations  and  is  responsible  for  accurately 
compiling  the  financial  data  necessary  to  prepare  the  Army  financial  statements 
in  a  timely  manner.  The  Directorate  is  also  responsible  for  preparing  the 
footnotes  and  management  data  that  make  up  the  annual  financial  report  sent  to 
the  Under  Secretary  of  Defense  (Comptroller). 

Data  Control  and  Operational  Support  Team.  The  Support  Team  is  a 
Directorate  for  Departmental  Accounting  team,  acting  as  a  liaison  to  system  or 
application  personnel.  The  Support  Team  is  also  responsible  for  developing  and 
testing  applications  prior  to  passing  them  on  to  users.  The  Support  Team 
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already  has  copies  of  some  applications  used  for  financial  reporting  and  has 
basic  information  about  those  applications.  The  Support  Team  also  has 
responsibilities  not  related  to  the  use  of  database  applications. 


Attempts  at  Drafting  Management  Control  Policies  and 
Procedures 


The  DFAS  Deputy  Director  for  Information  Management  and  the  DFAS-FSO 
had  not  established  policies  subjecting  database  applications  to  effective 
development  and  maintenance  of  management  control  procedures.  In 
June  1995,  the  DFAS  Indianapolis  Center  developed  a  draft  Standing  Operating 
Procedure  (SOP),  subjecting  database  applications  to  development  and 
maintenance  management  controls,  but  did  not  implement  the  draft  SOP.  The 
DFAS  Indianapolis  Center  did  not  follow  through  with  the  draft  SOP  because 
recent  reorganizations  from  a  function-oriented  structure  into  a  team-oriented 
structure  made  it  impractical  to  implement.  By  not  implementing  management 
controls  for  database  applications,  the  DFAS-FSO  and  the  DFAS  Indianapolis 
Center  increased  the  risk  of  introducing  misstatements  to  the  Army  financial 
statements.  The  DFAS  Deputy  Director  for  Information  Management  and  the 
DFAS-FSO  needs  to  develop  management  control  policies  over  database 
application  development  and  maintenance,  and  the  DFAS  Indianapolis  Center 
needs  to  implement  the  necessary  management  control  procedures. 


Development  and  Maintenance  Controls 


The  DFAS  Indianapolis  Center  did  not  establish  management  control  procedures 
for  the  development  and  maintenance  of  database  applications  critical  to 
compiling  the  Army  financial  statements.  The  DFAS  Indianapolis  Center 
extensively  used  database  applications  for  compiling  the  financial  statements, 
processing  about  $1.7  trillion  of  FY  1996  general  ledger  accounts  affecting 
197  appropriations.  However,  the  DFAS  Indianapolis  Center  did  not  take  the 
steps  necessary  to  reduce  the  risk  that  database  applications  could  introduce 
misstatements  into  the  financial  statements.  The  use  of  database  applications  in 
the  compilation  of  the  FY  1996  Army  financial  statements  resulted  in  the  need 
for  an  additional  44  adjustments,  totaling  about  $2.1  billion,  to  the  accounts 
payable  balance  on  the  Statement  of  Financial  Position.  Effective  management 
control  procedures  for  database  application  development  and  maintenance 
reduce  Ae  risk  introducing  misstatements  to  the  Army  financial  statements. 
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Development  Controls.  The  DFAS  Indianapolis  Center  did  not  implement 
management  control  procedures  for  database  application  development. 
Management  control  procedures  addressing  personnel  training  and  output  testing 
were  not  applied  to  database  applications.  The  implementation  of  effective 
management  control  procedures,  such  as  developer  training  and  output  testing 
are  necessary  to  ensure  that  database  applications  do  not  introduce  misstatements 
into  the  Army  financial  statements. 

Developer  Training.  Database  application  developers  were  not  trained 
in  developing  applications  fliat  would  effectively  produce  the  desired  output. 
Without  Ais  training,  developers  relied  only  on  their  ability  to  code  a  database 
application  in  a  manner  that  would  produce  the  desired  results.  The  lack  of 
trained  developers  increases  the  risk  of  introducing  incorrect  financial  data  into 
financial  statements.  Training  developers  at  the  DFAS  Indianapolis  Center  in 
the  proper  design  of  database  applications  will  provide  assurance  that  they  will 
operate  effectively. 

Output  Testing.  The  DFAS  Indianapolis  Center  has  performed  only 
limited  testing  of  the  database  applications  used  to  compile  the  Army  financial 
statements.  Database  applications  should  be  tested  before  being  used  to  ensure 
that  application  output  will  not  introduce  misstatements  into  the  FSDB  and 
subsequently  into  the  financial  statements.  There  was  no  evidence  of  any 
comprehensive  test  plans.  For  output  testing  to  be  an  effective  control 
technique,  the  test  plan  and  ouq)ut  should  be  sufficiently  documented  and 
approved  by  management.  Also,  approved  testing  documentation  and 
conclusions  should  be  retained  in  a  secure  central  location. 

Management  Controls  Over  Development.  While  database  application  control 
weaknesses  are  by  no  means  the  only  control  weaknesses  preventing  the 
rendering  of  a  favorable  audit  opinion  on  the  Army  general  fund  financial 
statements,  the  controls  are  crucial  and  necessary  to  allow  the  auditors  to  place 
reliance  on  the  financial  statement  compilation  process.  The  implementation  of 
adequate  management  control  procedures  over  database  application  development 
will  also  assist  in  the  implementation  of  adequate  management  control 
procedures  over  database  application  maintenance. 

Maintenance  Controls.  The  DFAS  Indianapolis  Center  did  not  implement 
management  control  procedures  for  database  application  maintenance.  The 
DFAS  Indianapolis  Center  needs  management  control  procedures  to  ensure  that 
existing  applications  remain  effective  when  changed.  For  management  control 
procedures  to  be  effectively  applied  to  database  application  maintenance,  the 
universe  of  the  applications  needs  to  be  known. 

Change  Controls.  The  DFAS  Indianapolis  Center  did  not  implement 
management  control  procedures  for  changes  to  database  applications.  When  a 
change  is  made  to  database  applications,  output  testing  is  necessary  to  ensure 
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that  the  application  will  produce  the  intended  results.  For  data  output  testing 
purposes,  a  changed  database  application  is  the  same  as  a  new  database 
application.  The  rationale  for  changes  should  be  documented  and  approved  at 
the  supervisory  level.  Output  testing  should  also  be  completed,  documented, 
and  approved  before  the  application  is  applied  to  live  data.  Without  proper 
control  procedures  for  changed  applications  and  subsequent  testing,  Aere  is  no 
assurance  that  database  applications  will  continue  to  operate  effectively. 

Catalog  of  Database  Applications.  The  DFAS  Indianapolis  Center  did 
not  prepare  a  catalog  of  database  applications.  The  DFAS  Indianapolis  Center 
catalogued  only  database  applications  defined  as  "mission-critical"  and  did  not 
make  a  distinction  as  to  their  criticality  to  the  financial  reporting  process.  The 
DFAS  Indianapolis  Center  cannot  perform  proper  management  control 
techniques  until  all  database  applications  used  for  compiling  the  Army  financial 
statements  have  been  identified  and  catalogued.  A  catalog  must  be  complete 
and  regularly  updated  to  remain  effective. 

Management  Controls  Over  Maintenance.  The  DFAS  Indianapolis  Center 
did  not  establish  adequate  management  control  procedures  over  the  maintenance 
of  database  applications.  Effective  management  control  procedures  are 
necessary  to  ensure  that  application  ouq)ut  does  not  subject  the  Army  financial 
statements  to  an  increased  risk  of  misstatements.  With  the  significant  role  that 
database  applications  play  in  the  CFO  financial  reporting  process,  management 
controls  over  maintenance  of  database  applications  must  be  implemented  and 
must  be  operating  effectively. 


Conclusion 


Management  controls  over  database  application  development  require  output 
testing  prior  to  use  and  developer  training.  Without  these  management  controls, 
the  DFAS  Indianapolis  Center  has  no  assurance  that  the  use  of  database 
applications  will  not  introduce  additional  misstatements  into  the  Army  financial 
statements.  Likewise,  the  absence  of  management  controls  over  database 
application  maintenance,  such  as  change  aufliorization,  output  testing,  and 
cataloging,  does  not  ensure  that  properly  developed  database  applications  will 
continue  to  prevent  the  introduction  of  errors  into  the  Army  financial 
statements.  Effective  and  efficient  development  and  maintenance  management 
controls  and  the  implementation  of  policies  and  procedures  for  the  use  of 
database  applications  at  the  DFAS  Indianapolis  Center  will  minimize  the  risk  of 
introducing  misstatements  into  the  Army  financial  statements.  Management 
control  weaknesses  are  not  the  only  problem  preventing  auditors  from  rendering 
a  favorable  opinion  on  the  financial  statements.  Management  controls  are 
necessary  in  order  for  managers  and  auditors  to  place  reliance  on  the  financial 
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statement  compilation  process.  Effective  management  controls  will  also  help 
preserve  the  integrity  of  general  ledger  accounts  in  excess  of  $1.7  trillion, 
affecting  197  Army  general  fund  appropriations.  Effective  controls  will  help 
minimize  the  need  for  additional  adjustments  to  financial  data  prior  to  compiling 
the  financial  statements.  Similar  management  control  weaknesses  also  exist  in 
the  compilation  processes  for  other  Defense  agency  financial  statements 
prepared  by  the  DFAS  Indianapolis  Center  because  the  compilation  processes 
use  some  of  the  same  database  applications  as  are  used  for  the  Army  general 
fund  compilation  process. 


Recommendations,  Management  Comments,  and  Audit 
Response 


1.  We  recommend  that  the  Deputy  Director  for  Information  Management, 
Defense  Finance  and  Accounting  Service,  and  the  Director,  Financial 
Systems  Organization,  develop  policy  that  requires  management  control 
procedures  for  database  applications  at  the  Defense  Finance  and 
Accounting  Service  centers. 

Management  Comments.  The  Defense  Finance  and  Accounting  Service 
concurred,  stating  that  information  management  policies  are  contained  in  DFAS 
Regulation  8000. 1-R,  “Information  Management  Policy  and  Instructional 
Guidance,”  July  24,  1997,  and  that  the  Regulation  applies  to  all  systems  without 
regard  to  the  hardware  platform  on  which  they  operate.  The  Defense  Finance 
and  Accounting  Service  concluded  that  the  Regulation  should  be  strengthened  to 
publicize  that  it  does  cover  all  information  system  efforts,  including  personal 
computer-based,  end-user  developed  automated  products.  DFAS  8000. 1-R  was 
updated  as  of  October  15,  1997.  The  Defense  Finance  and  Accounting  Service 
also  stated  that  the  Deputy  Director  for  Information  Management  is  responsible 
for  information  management  policy,  not  the  Financial  Systems  Organization, 
and  clarified  that  the  database  applications  referred  to  in  the  report  are  personal 
computer-based,  end-user  developed,  automated  products. 

Audit  Response.  As  a  result  of  management  comments,  we  restated  the 
recommendation  to  direct  it  toward  both  the  Deputy  Director  for  Information 
Management  and  the  Financial  Systems  Organization.  We  also  more  clearly 
described  the  nature  of  database  applications.  Because  DFAS  concurred  with 
the  recommendation,  no  further  comments  are  required. 
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2.  We  recommend  that  the  Director,  Defense  Finance  and  Accounting 
Service  Indianapolis  Center,  implement  policy  that  requires  management 
control  procedures  for  the  development  and  maintenance  of  database 
applications.  At  a  minimum,  the  policy  should  include: 

a.  Training  personnel  on  the  development  of  database  applications. 

b.  Testing  output  data  from  new  database  applications  and 
retaining  management  approved  test  plans,  documentation,  and  conclusions 
in  a  secure  central  location. 

c.  Requiring  management  approval  of  changes  to  database 
applications  and  output  testing  of  changed  applications  before  they  are 
used. 


d.  Implementing  a  change  control  program  for  database 
applications,  including  preparing  and  updating  a  catalog  of  database 
applications  used  to  compile  the  Army  flnancial  statements. 

Management  Comments.  The  Defense  Finance  and  Accounting  Service 
concurred,  stating  that  policy  requiring  management  control  procedures  for 
developing  and  maintaining  database  applications  was  implemented  as  of 
October  15,  1997.  In  addition,  management  stated  that  the  16  database 
applications  that  were  the  focus  of  the  audit  had  already  been  brought  into 
compliance  with  required  management  control  procedures  by  the  time  our  draft 
audit  report  had  been  issued. 
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Appendix  A.  Audit  Process 


Scope  and  Methodology 


Audit  Work  Performed.  We  limited  our  financial-related  audit  to  the 
16  database  applications  the  DFAS  Indianapolis  Center  used  to  compile  the 
Army  financial  statements.  Our  examination  included  a  review  of: 

0  DFAS  policies  and  procedures  addressing  the  development  of  database 
applications; 

0  management  control  techniques  used  by  the  DFAS  Indianapolis  Center 
to  maintain  oversight  control  of  database  applications;  and 

0  efforts  taken  to  catalog  database  applications  used  by  the  DFAS 
Indianapolis  Center. 

Limitations  to  Audit  Scope.  We  did  not  attempt  to  identify  or  analyze 
database  applications  used  by  field  accounting  entities  before  data  submission  to 
the  DFAS  Indianapolis  Center.  Also,  we  did  not  attempt  to  identify  or  analyze 
spreadsheet  or  word  processing  applications  used  by  the  DFAS  Indianapolis 
Center  or  field  accounting  entities.  We  did  not  use  computer-processed  data  to 
perform  this  audit.  Further,  we  did  not  examine  the  accuracy  of  the  data 
analyzed  by  the  database  applications  or  the  ability  of  each  database  application 
to  manipulate  financial  data  in  the  intended  manner. 

Audit  Period  and  Standards.  We  performed  this  audit  as  a  part  of  our  annual 
audit  of  the  compilation  process  for  the  Army  financial  statements  at  the 
Defense  Finance  and  Accounting  Service  Indianapolis  Center.  The  audit  was 
performed  at  the  DFAS  Indianapolis  Center  from  September  1996  through 
May  1997.  The  audit  was  performed  in  accordance  with  auditing  standards 
established  by  the  Comptroller  General,  as  implemented  by  the  Inspector 
General,  DoD,  and  with  0MB  guidance;  however,  we  limited  our  scope  as 
noted  above.  The  audit  included  tests  of  management  controls  considered 
necessary. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  the  DoD.  Further  details  are  available  upon  request. 
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Management  Control  Program 


DoD  Directive  5010.38,  "Management  Control  (MC)  Program," 

August  26,  1996,  requires  DoD  organizations  to  implement  a  comprehensive 
system  of  management  controls  that  provides  reasonable  assurance  that 
programs  are  operating  as  intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review  of  the  Management  Control  Program.  We  evaluated 
management  controls  over  the  process  that  the  DFAS  Indianapolis  Center  used 
to  control  the  development  and  maintenance  of  database  applications  in  the 
financial  reporting  process.  Specifically,  we  reviewed  the  management  control 
techniques  used  by  the  DFAS  Indianapolis  Center  to  manage  the  16  database 
applications  that  analyzed  financial  data  and  compiled  the  Army  financial 
statements.  We  did  not  assess  the  adequacy  of  management's  self-evaluation  of 
these  controls,  because  the  review  of  the  DFAS  Indianapolis  Center 
management  control  program,  as  it  relates  to  the  compilation  of  the  Army 
financial  statements,  will  be  covered  in  a  later  audit  report,  “Compilation  of 
Army  Financial  Statements  at  the  Defense  Finance  and  Accounting  Service 
Indianapolis  Center,”  Project  No.  6FI-2023.  We  did  not  examine  the 
management  control  program  for  the  DFAS-FSO  because  we  did  not  review 
DFAS-FSO  operations,  only  its  policy  statements. 

Adequacy  of  Management  Controls.  We  identified  material  management 
control  weaknesses,  as  defined  by  DoD  Directive  5010.38,  for  the  DFAS-FSO 
and  the  DFAS  Indianapolis  Center.  DFAS-FSO  had  not  implemented  policies 
for  the  development  and  maintenance  of  database  applications.  In  addition,  the 
DFAS  Indianapolis  Center  did  not  establish  management  control  procedures  for 
documenting  and  testing  database  applications.  These  weaknesses  were  not 
identified  by  the  DFAS  Indianapolis  Center  during  its  annual  internal  control 
review.  Recommendations  1.  and  2.  ,  if  implemented,  will  correct  the 
deficiencies.  A  copy  of  the  report  will  be  provided  to  the  senior  official 
responsible  for  management  controls  in  DFAS. 


Prior  Audits  and  Other  Reviews 


There  were  no  prior  reports  or  other  reviews  performed  during  the  last  5  years 
at  the  DFAS  Indianapolis  Center  that  related  directly  to  the  audit  objective. 
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Database  applications,  as  used  by  the  DFAS  Indianapolis  Center,  are  personal 
computer-based  and  end-user  developed  automated  products.  The  DFAS 
Indianapolis  Center  creates  a  database  application  through  the  use  of  advanced 
database  software  program  capabilities.  Advanced  capabilities  are  those 
inherent  in  commercial,  off-the-shelf,  database  software  that  allow  for  die 
coding  of  database  applications  solely  by  providing  specifications  to  the 
software's  programming  element.  A  database  application  is  the  result  of  the 
software's  coding  of  specifications  provided  by  the  developer  of  the  application. 
The  database  software  program  sets  the  application  code,  using  the  coding 
language  inherent  within  the  software  program. 

The  DFAS  Indianapolis  Center  uses  database  applications  as  analytical  tools 
applied  to  financial  data  submitted  by  field  accounting  entities.  The  analyses 
might  not  otherwise  be  performed  without  the  existence  of  database 
applications.  Database  applications  check  for  conditions,  such  as  abnormal 
general  ledger  account  (GLAC)  balances  and  variances  between  beginning  and 
ending  balances  during  the  fiscal  year.  Database  applications  also  assist  in 
financial  data  reconciliations  performed  by  the  DFAS  Indianapolis  Center. 
Database  applications  are  applied  to  GLACs  valued  in  the  billions  of  dollars. 

The  data  are  formed  into  a  primary  source  database  inserted  into  the 
Comprehensive  Reporting  System.  The  Comprehensive  Reporting  System  then 
formats  and  prints  the  financial  statements.  The  analyses  and  subsequent  actions 
resulting  from  database  application  ouq)ut  are  intended  to  provide  a  measure  of 
assurance  that  financial  values  presented  in  the  financial  statements  do  not 
reflect  incorrect  GLAC  balances. 

At  least  16  database  applications  were  used  by  the  DFAS  Indianapolis  Center 
during  the  compilation  of  the  Army  financial  statements.  All  were  used  to 
process  data  submitted  by  field  accounting  entities  through  their  monthly  general 
ledger  trial  balance  (GLTB)  submissions  and  from  other  sources.  The 
16  database  applications  are  discussed  below. 

0  Reconciliation  of  the  Yearend  Closing  Statement  to  Status  of 
Appropriations  Data.  A  reconciliation  is  performed  of  the  Yearend  Closing 
Statement  (Financial  Management  Service  Form  2108)  to  Army  status  of 
appropriations  data,  stored  in  the  Departmental  Budgetary  Accounting  and 
Reporting  System  (DBARS),  a  segment  of  HQARS.  The  application  is  run  just 
before  the  beginning  of  the  CFO  reporting  process.  The  application  is  run  to 
guarantee  that  the  status  data  being  extracted  from  DBARS  for  reconciliations 
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between  the  submitted  GLTBs  and  status  data  accurately  reflect  what  was 
reported  in  the  Yearend  Closing  Statement.  If  differences  are  identified, 
DEARS  data  are  adjusted  to  agree  with  the  certified  Yearend  Closing  Statement. 

0  Reconciliation  of  the  Balance  Forward  to  the  Treasury  Trial 
Balance.  This  application  allows  for  the  reconciliation  of  net  expenditures 
recorded  by  the  DFAS  Indianapolis  Center  to  net  expenditures  recorded  by  the 
U.S.  Treasury.  The  reconciliation  is  performed  monthly,  at  the  appropriation 
level,  for  Treasury  Index  21  appropriations.  On-line  ou^ut  from  the  Treasury 
is  compared  to  a  DEARS  query.  The  value  of  the  FY  1996  DEARS  net 
expenditures  subjected  to  the  application  was  about  $62.3  billion,  covering 
214  appropriations.  Reconciling  adjustments,  when  needed,  are  made  to 
GLACs  maintained  by  the  DFAS  Indianapolis  Center,  in  order  to  match  the 
appropriation-level  balances  with  the  balances  reported  by  the  Treasury. 

o  Reconciliation  of  Transaction  Report  Code  to  General  Ledger 
Account-Fiscal  Station  Level.  This  application  allows  for  the  reconciliation  of 
GLTE  data  to  selected  values  from  status  system  reports  at  the  fiscal  station 
level.  The  output  is  used  to  adjust  GLTE  data  to  the  data  in  DEARS.  This 
application  is  performed  as  part  of  the  yearend  closing  of  fiscal  station  books 
against  what  is  contained  in  DEARS.  TTie  yearend  absolute  value  of  FY  1996 
GLTE  data  subjected  to  the  application  was  about  $1.7  trillion. 

o  Reconciliation  of  Transaction  Report  Code  to  General  Ledger 
Account-Operating  Agency  Level.  This  application  allows  for  the 
reconciliation  of  GLTE  data  to  selected  values  from  selected  status  system 
reports  at  the  Operatmg  Agency  level.  The  ou^ut  is  used  to  adjust  GLTE  data 
to  what  is  contained  in  DEARS.  This  reconciliation  is  performed  as  part  of  the 
fiscal  yearend  closing  of  Operating  Agency  books  against  data  contained  in 
DEARS.  The  yearend  absolute  value  of  FY  1996  GLTE  data  subjected  to  the 
application  was  about  $1.7  trillion. 

0  Transaction  Report  Code  Extract  From  Status.  This  application 
allows  for  a  reconciliation  of  Yearend  Closing  Statement  data  against  status 
data,  using  an  associated  Transaction  Report  Code  to  financial  statement  line 
item  matrix,  applied  to  the  Financial  Resources  line  items  from  the  Statement  of 
Financial  Position.  The  reconciliation  resulted  in  about  $127.8  billion  in 
adjustments  to  the  SOURCE21  database  for  FY  1996. 

o  More  Than  $250  Million  Variance  Check.  This  application 
identifies  selected  asset,  equity,  and  budgetary  GLACs  exceeding  a  selected 
dollar  threshold,  which  may  be  less  than  $250  million,  depending  on  the  GLAC 
being  examined.  DFAS  Indianapolis  Center  personnel  and  personnel  from  the 
appropriate  field  accounting  office  research  the  identified  GLACs.  Adjustments 
are  made  to  the  SOURCE21  database  on  an  as-needed  basis. 
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0  Abnormal  Balance  Check  for  Inventory  and  Fixed  Assets.  This 
application  determines  the  fixed  asset  and  inventory  GLACs  having  an  ending 
balance  either  above  what  was  expected  or  that  was  not  considered  normal.  The 
affected  GLACs  are  the  1500,  1700,  1800,  and  1900  series.  DFAS 
Indianapolis  Center  personnel  and  personnel  from  the  appropriate  field 
accounting  office  research  the  identified  GLACs.  Adjustments  are  made  to  the 
SOURCE21  database  on  an  as-needed  basis.  The  value  of  FY  1996  transactions 
subjected  to  the  application  was  about  $165.1  billion,  covering  31  GLACs. 

o  Variance  Check  for  Inventory,  Fixed  Assets,  and  Accrued  Leave. 
This  application  compares  prior  fiscal  year  ending  balances  for  the  GLAC  series 
with  the  current  fiscal  year  ending  balances  and  identifies  the  differences. 
GLACs  with  variances  of  exactly  100  percent  or  that  exceed  150  percent  of  the 
prior  year's  balances  are  identified.  Variations  are  researched  and  adjustments 
are  made  to  the  SOURCE21  database  on  an  as-needed  basis.  The  value  of 
FY  1996  transactions  subjected  to  the  application  was  about  $160.6  billion, 
covering  39  GLACs. 

o  Reconciliation  of  Status  to  SOURCE21.  This  application  allows  for 
the  reconciliation  of  selected  GLTB  data  and  certified  status  data.  Output  is 
used  to  prepare  standard  pro-forma  adjustments  to  GLTB  data  to  match  the 
certified  status  data.  This  application  assures  that  the  SOURCE21  database 
accurately  reflects  what  was  reported  in  the  Army’s  certified  yearend  reports. 

o  Status  to  SOURCE21  Adjustments.  This  application  allows  for  a 
review  of  the  pro-forma  adjustments  created  by  the  Reconciliation  of  Status  to 
SOURCE21  application  and  revises  the  adjustments  to  meet  unique  reporting 
requirements.  DFAS  Indianapolis  Center  personnel  edit  and  balance  tibe 
adjustments  before  updating  the  SOURCE21  database. 

o  Canceled  Year  Adjustments.  This  application  computes  canceled 
year  adjustments  for  specific  GLACs.  DFAS  Indianapolis  Center  personnel 
review  the  adjustments  before  they  are  entered  into  the  FFS. 

o  GLAC  5700  Adjustments.  This  application  computes  the 
GLAC  5700  (Appropriated  Capital  Used)  adjustments.  DFAS  Indianapolis 
Center  personnel  review  the  adjustments  before  updating  the  SOURCE21 
database.  Adjustments  post  to  the  Appropriated  Capital  Used  account  in 
accordance  with  DoD  and  U.S.  Treasury  guidance. 

o  Cumulative  Results  Adjustments.  This  application  computes  the 
adjustments  for  Cumulative  Results  of  Operations.  DFAS  Indianapolis  Center 
personnel  review  the  adjustments  before  updating  the  SOURCE21  database. 
Adjustments  eliminate  cumulative  results  from  general  fund  trial  balances  in 
accordance  with  DoD  guidance. 
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o  Elimination  Adjustments.  This  application  computes  the  Intra-Army 
Elimination  adjustments.  DFAS  Indianapolis  Center  personnel  review  the 
adjustments  before  updating  the  SOURCE21  database. 

o  General  Adjustments— SOURCE21.  This  application  provides  the 
capability  to  input  nonautomated  adjustments  and  manual  trial  balance  data  into 
the  SOURCE21  database.  DFAS  Indianapolis  Center  personnel  edit  and 
balance  the  data  before  updating  the  SOURCE21  database. 

o  Comprehensive  Reporting  System.  The  Comprehensive  Reporting 
System  is  a  Windows-driven  application  capable  of  performing  DoD  financial 
reporting  at  the  consolidating  level.  This  application  generates  a  variety  of  CFO 
and  DoD-level  reports.  For  FY  1996,  the  Comprehensive  Reporting  System 
generated  Army  financial  statements  with  total  assets  of  about  $201  billion  and 
total  expenses  of  about  $64.7  billion.  The  Comprehensive  Reporting  System 
uses  the  SOURCE21  database  as  the  primary  data  source,  in  conjunction  with 
three  subsidiary  tables,  to  generate  the  financial  statements. 

Initial  financial  data  are  contained  in  two  accounting  systems,  the  HQARS  and 
the  FFS.  Internal  queries  are  applied  to  select  account  balances,  either  at  the 
field  accounting  office  level  or  as  an  overall  balance,  for  further  examination. 
Query  output  is  saved  as  separate  database  files.  Database  applications  are 
applied  to  the  ouq)ut  database  files.  Those  files  are  printed  and  analyzed  by 
DFAS  Indianapolis  Center  personnel  or  other  field  accounting  entity  personnel, 
based  on  the  intent  of  the  application.  Once  analyses  have  been  completed, 
adjustments  are  made  to  the  initial  financial  data  on  an  as-needed  basis.  The 
figure  below  shows  the  flow  of  financial  data  through  database  applications. 


Flow  of  Information  Through  Database  Applications 
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The  primary  reasons  for  fhe  increased  use  of  database  applications  since  the 
beginning  of  CFO  financial  reporting  include  ease  of  use,  relative  ease  of 
development,  the  ability  to  tailor  queries  to  specific  end-user  needs,  and  quick 
mrnaround  time  for  obtaining  results.  The  use  of  database  applications  gives 
the  DFAS  Indianapolis  Center  the  ability  to  perform  financial  data  analyses  that 
might  not  otherwise  have  been  performed,  ^en  properly  controlled,  database 
application  output  will  detect  abnormal  and  incorrect  ^ancial  values  and  will 
allow  the  DFAS  Indianapolis  Center  to  correct  errors  before  they  appear  on  the 
Army  financial  statements. 
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Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Public  Affairs) 

Director,  Defense  Logistics  Studies  Information  Exchange 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Navy 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 


Other  Defense  Organizations 

Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Finance  and  Accounting  Service 

Director,  Defense  Finance  and  Accounting  Service  Indianapolis  Center 
Director,  Defense  Logistics  Agency 
Director  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 
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Appendix  C.  Report  Distribution 


Non-Defense  Federal  Organizations  and  Individuals 

Office  of  Management  and  Budget 

Technical  Infonnation  Center,  National  Security  and  International  Affairs  Division, 
General  Accounting  Office 

Chairman  and  ranking  minority  member  of  each  of  the  following  congressional 
committees  and  subcommittees: 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 
House  Committee  on  Government  Reform  and  Oversight 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform  and  Oversight 
House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal 
Justice,  Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 
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Part  III  -  Management  Comments 


Defense  Finance  and  Accounting  Service 
Comments 


DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 


1931  JEFFERSON  DAVIS  HIGHWAY 
ARLINGTON.  VA  22240-5291 


.'JPP  I  2  1997 


MEMORANDUM  FOR  DIRECTOR,  FINANCE  AND  ACCOUNTING  DIRECTORATE, 
OFFICE  OF  THE  INSPECTOR  GENERAL,  DEPARTMENT 
OF  DEFENSE 

SUBJECT:  Response  to  Department  of  Defense,  Inspector 
General  Draft  Report,  "Control  of  Database 
Applications  at  the  Defense  Finance  and  Accounting 
Service,  Indianapolis  Center,"  dated  July  3,  1997 
(Project  No,  5FI-2012.02) 

The  attachment  outlines  Defense  Finance  and  Accounting 
Service's  (DFAS)  response  to  the  Department  of  Defense, 
Inspector  General  Draft  Report  on  DFAS  Indianapolis  Center's 
management  and  maintenance  of  database  applications. 

Any  further  issues  or  questions  regarding  this  matter 
can  be  directed  to  my  point  of  contact,  Mr.  Richard  Farrow, 
DFAS-HQ/SC,  703-607-3967. 


Attachment 
as  stated 
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Response  to  DoD  IG  Draft  Report,  Project  Mo.  SFI-2Q12.02 

OFAS  concurs  with  the  overall  intent  of  the  findings 
and  reconunendations.  However,  there  are  several  technically 
inaccurate  statements  and  representations  in  the  report. 
First,  when  the  report  refers  to  database  applications,  we 
believe  it  is  referring  to  PC  based  end  user  developed  small 
database  applications  and  not  database  applications  that  are 
developed  within  our  software  development  coroniunity  and  part 
of  our  formal  system  structure.  Second,  the  report's 
findings  do  not  apply  to  the  audit's  16  database 
applications,  but  rather  to  other  PC  based  -end  user 
developed  database  applications  not  involved  with  the 
compilation  of  the  Army  general  fund  financial  statements. 
Third,  while  the  report  refers  to  the  Financial  System 
Organization  as  being  responsible  for  establishing  policies 
governing  the  DFAS-IN  Center,  this  is  not  correct.  Policies 
governing  the  Centers  efforts  with  information  management 
are  the  responsibility  of  the  Information  Management 
Deputate  at  DFAS-HQ. 

Recommendation  1:  Director,  Financial  System  Organization 
(FSO)  develop  policy  that  requires  management  control 
procedures  for  database  applications  at  the  Defense  Finance 
and  Accounting  Service  (DFAS}  Centers. 

Comment:  Concur  in  principle,  but  not  as  stated.  First, 

DFAS  has  policies  governing  the  Management  controls  over  all 
information  management  systems.  These  policies  are 
published  in  the  DFAS  8000. 1-R  regulation.  Our  policy 
applies  to  all  systems,  without  regard  to  which  hardware 
platform  a  system  operates  on.  Second,  these  policies  are 
the  responsibility  of  DFAS-HQ  Information  Management 
Deputate  and  not  the  Financial  Systems  organization.  And 
finally,  we  concur  in  principle  in  as  much  as  auditors  did 
not  recognize  that  these  policies  covered  all  systems 
efforts,  and  we  need  to  strengthen  these  policies  and 
publicize  the  fact  that  these  policies  do  in  fact  cover  all 
systems  efforts.  To  accomplish  this,  we  will  update  our 
policies  and  issue  a  notification  from  DFAS-HQ. 


Recommendation  2:  Director,  Defense  Finance  and  Accounting 
Service,  Indianapolis  Center  (DFAS-IN)  implement  policy  that 
requires  management  control  procedures  for  the  development 
and  maintenance  of  database  applications. 


a.  Training  personnel  on  the  development  of  database 
applications . 


Attachment 


Final  Report 
Reference 


Revised 
Page  2 


Revised 
Page  5 
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b.  Testing  output  data  from  new  database  applications 
and  retaining  management  approved  test  plans,  documentation, 
and  conclusions  in  a  secure  central  location. 

c.  Requiring  management  approval  of  changes  to 
database  applications  and  output  testing  of  changed 
applications  before  they  are  used. 

d.  Implement  a  change  control  program  for  database 
applications,  including  preparing  and  updating  a  catalog  of 
database  applications  used  to  compile  the  Army  financial 
statements. 

Comment:  Concur.  We  will  ensure  DFAS  personnel  implement 
the  DFAS  policy  which  in  fact  covers  items  b,  c  and' d  of 
this  recommendation.  As  for  item  a,  we  will  train  our 
personnel  on  the  proper  controls  of  all  systems  and 
applications  and  require  that  the  development  of  any 
application  or  system  that  supports  the  DFAS  mission  be 
perfomed  by  the  trained  staff  that  has  the  responsibility 
within  DFAS  for  system  development. 
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DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 

l»ai  JCPrERSOM  DAVIS  MICHWAV 
AAlindTDK.  VA22240-»29I 


DFAS“Hft/S 


MEMORANDUM  FOR  DIRECTOR,  FINANCE  AND  ACCOUNTING  DIRECTORATE, 
OFFICE  OF  THE  INSPECTOR  GENERAL,  DEPARTMENT 
OF  DEFENSE 


SUBJECT:  Response  to  Department  of  Defense,  Inspector 
Genexel  Draft  Rcpoit,  "Control  of  Database 
Applications  at  the  Defense  Finance  and  Accounting 
Service,  Indianapolis  Center,"  dated  July  3,  1597 
f Project  No,  5FI-2012,Cl2) 


In  regard  to  our  September  12,  193?,  tnemorandum  same 
subject,  the  following  clarification  is  provided  per  your 
request. 

-  At  the  time  of  publication  of  the  audit  report,  the  16 
applications  which  were  the  focus  of  the  audit  had  been  brought 
into  compliance  with  required  management  control  procedures. 

-  The  written  policy  to  be  prepared^  by  OFAS-HQ  in  conjunction 
with  this  finding  has  been  included  in  DPAS  aoOd.i-R,  Chapter  2, 
as  of  October  IS,  1997. 

DFAS  point  of  contact  for  this  action  is  Mr.  Richard  Farrow, 
DFAS-HO/SC,  703-607-3967. 


Robert  E. 

Deputy  Director  for 
Information  Management 


Audit  Team  Members 

The  Finance  and  Accounting  Directorate,  Office  of  the  Assistant  Inspector 
General  for  Auditing,  DoD,  produced  this  report. 

F.  Jay  Lane 
Richard  B.  Bird 
John  J,  Victor 
Paul  C.  Wenzel 
Craig  W.  Zunmerman 
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